future-architect/vuls

CPE report is not working #1027

huikang posted on GitHub

Hi, I am following the instructions from https://vuls.io/docs/en/usage-scan-non-os-packages.html#host-os to add cpeName to the config file as follows:

[servers.local-dockers]
cpeNames = [
    "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
    "cpe:2.3:a:postgresql:postgresql:9.6.2:*:*:*:*:*:*:*",
    "cpe:/a:kubernetes:kubernetes",
] 

There are several CVEs in the cve.sqlite I am using. However, when I run the vuls report command, it does not show the CVEs related to the above cpe

[Jul 29 19:55:47]  INFO [localhost] [Reboot Required] local-docker: 458 CVEs are detected with OVAL
[Jul 29 19:55:47]  INFO [localhost] [Reboot Required] local-docker: 0 CVEs are detected with CPE

Any advice? Thanks.


Hi, @huikang

Scan using CPE requires go-cve-dictionary. Did you fetch it? You can check the fetched-databases with the following command.

 ubuntu@dev  ~│g│s│g│k│go-cve-dictionary  ⎇ master~  ./go-cve-dictionary list
+-----------+----------+------------+-----------------+-----------------+
|  SOURCE   |   YEAR   |   STATUS   |     FETCHED     |     LATEST      |
+-----------+----------+------------+-----------------+-----------------+
| NVD(JSON) | 2019     | Up-to-Date | 2020/7/29-03:44 | 2020/7/29-03:44 |
| NVD(JSON) | 2020     | Up-to-Date | 2020/7/29-03:13 | 2020/7/29-03:13 |
| NVD(JSON) | modified | Up-to-Date | 2020/7/29-20:04 | 2020/7/29-20:04 |
| NVD(JSON) | recent   | Up-to-Date | 2020/7/29-20:01 | 2020/7/29-20:01 |
+-----------+----------+------------+-----------------+-----------------+
posted by kotakanbe over 4 years ago

@kotakanbe, thanks for your response. Yes, I am sure that I have the cve dictionary in the right place as in the config.toml

[cveDict]
type = "sqlite3"
SQLite3Path = "/root/go-cve-dictionary/cve.sqlite3"

+-----------+----------+------------+-----------------+-----------------+
|  SOURCE   |   YEAR   |   STATUS   |     FETCHED     |     LATEST      |
+-----------+----------+------------+-----------------+-----------------+
| NVD(JSON) | 2019     | Up-to-Date | 2020/7/29-03:44 | 2020/7/29-03:44 |
| NVD(JSON) | 2020     | Up-to-Date | 2020/7/29-03:13 | 2020/7/29-03:13 |
| NVD(JSON) | modified | Out-Dated  | 2020/7/29-14:04 | 2020/7/29-20:04 |
| NVD(JSON) | recent   | Out-Dated  | 2020/7/29-14:01 | 2020/7/29-20:01 |
+-----------+----------+------------+-----------------+-----------------+
posted by huikang over 4 years ago

BTW, the command I am using for report is

./vuls report -format-json -config=./config.toml  --log-dir=vuls-log/
posted by huikang over 4 years ago

@huikang Looking at the results of the list, the fetched data is only for 2019 and 2020; vulnerabilities older than 2018 will not be detected. If you also fetch the old year database, older vulnerabilities will be detected.

posted by kotakanbe over 4 years ago
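
The coverage check described in the reply above, as an added example that is not part of the original thread or of the vuls project: it parses the table printed by `go-cve-dictionary list` and reports year feeds that were never fetched and feeds whose status is not `Up-to-Date`. The function names and the 2002 starting year (the first NVD yearly feed) are assumptions of this example; the sample table is the one posted in this thread.

```python
"""Check NVD feed coverage from `go-cve-dictionary list` output (added example)."""

# Sample input: the table posted by huikang in this thread, embedded so the
# example runs offline. In practice, capture the command's real output instead.
SAMPLE_LIST_OUTPUT = """\
+-----------+----------+------------+-----------------+-----------------+
|  SOURCE   |   YEAR   |   STATUS   |     FETCHED     |     LATEST      |
+-----------+----------+------------+-----------------+-----------------+
| NVD(JSON) | 2019     | Up-to-Date | 2020/7/29-03:44 | 2020/7/29-03:44 |
| NVD(JSON) | 2020     | Up-to-Date | 2020/7/29-03:13 | 2020/7/29-03:13 |
| NVD(JSON) | modified | Out-Dated  | 2020/7/29-14:04 | 2020/7/29-20:04 |
| NVD(JSON) | recent   | Out-Dated  | 2020/7/29-14:01 | 2020/7/29-20:01 |
+-----------+----------+------------+-----------------+-----------------+
"""


def parse_feed_table(text):
    """Turn the ASCII table into a list of dicts keyed by lower-cased header."""
    header = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # border lines ("+---+"), shell prompts, blank lines
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        if header is None:
            header = [cell.lower() for cell in cells]
            continue
        if len(cells) != len(header):
            continue  # malformed row; ignore rather than guess
        rows.append(dict(zip(header, cells)))
    return rows


def coverage_report(rows, first_year=2002, last_year=2020):
    """Report gaps that would make CPE matching miss CVEs.

    first_year/last_year are assumptions of this example: NVD yearly feeds
    start at 2002, and 2020 is the year of the thread.
    """
    fetched_years = {int(r["year"]) for r in rows if r["year"].isdigit()}
    missing_years = [
        year for year in range(first_year, last_year + 1)
        if year not in fetched_years
    ]
    # Any feed (yearly, "modified" or "recent") not reported as Up-to-Date.
    stale_feeds = [
        r["year"] for r in rows if r["status"].lower() != "up-to-date"
    ]
    return {"missing_years": missing_years, "stale_feeds": stale_feeds}


if __name__ == "__main__":
    report = coverage_report(parse_feed_table(SAMPLE_LIST_OUTPUT))
    if report["missing_years"]:
        print("year feeds never fetched:",
              ", ".join(str(y) for y in report["missing_years"]))
    if report["stale_feeds"]:
        print("feeds needing a re-fetch:", ", ".join(report["stale_feeds"]))
```
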

@kotakanbe, I had the same thought as you described. However, the cpeName contains cpe:/a:kubernetes:kubernetes, which does have CVEs in 2019 and 2020. I verified this by querying the go-cve-dictionary server:

curl --location --request POST 'http://127.0.0.1:1323/cpes' \
--header 'Content-Type: application/json' \
--data-raw '{
    "name": "cpe:/a:kubernetes:kubernetes"
}'

[
    {
        "CveID": "CVE-2019-11251",
        "NvdJSON": {
            "CveID": "CVE-2019-11251",
            "Descriptions": [
                {
                    "Lang": "en",
                    "Value": "The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree."
                }
            ],

So the CVEs of 2019 for kubernetes do exist in the sqlite db. However, the vuls report does not detect the CVEs.

posted by huikang over 4 years ago

@huikang It works fine on my environment. A possible cause is that the go-cve-dictionary path is incorrect.

Check the output when running ./vuls report.

INFO[0000] -cvedb-type: sqlite3, -cvedb-url: , -cvedb-path: /home/ubuntu/go/src/github.com/kotakanbe/go-cve-dictionary/cve.sqlite3

 ubuntu@dev  ~│g│s│g│f│vuls  ⎇ master~  tail -n 5 config.toml
[servers.k8s]
type = "pseudo"
cpeNames = [
        "cpe:/a:kubernetes:kubernetes"
]
 ubuntu@dev  ~│g│s│g│f│vuls  ⎇ master~  ./vuls scan k8s
[Jul 30 11:54:25]  INFO [localhost] Start scanning
[Jul 30 11:54:25]  INFO [localhost] config: /home/ubuntu/go/src/github.com/future-architect/vuls/config.toml
[Jul 30 11:54:25]  INFO [localhost] Validating config...
[Jul 30 11:54:25]  INFO [localhost] Detecting Server/Container OS...
[Jul 30 11:54:25]  INFO [localhost] Detecting OS of servers...
[Jul 30 11:54:25]  INFO [localhost] (1/1) Detected: k8s: pseudo
[Jul 30 11:54:25]  INFO [localhost] Detecting OS of containers...
[Jul 30 11:54:25]  INFO [localhost] Checking Scan Modes...
[Jul 30 11:54:25]  INFO [localhost] Detecting Platforms...
[Jul 30 11:54:25]  INFO [localhost] (1/1) k8s is running on other
[Jul 30 11:54:25]  INFO [localhost] Detecting IPS identifiers...
[Jul 30 11:54:25]  INFO [localhost] (1/1) k8s has 0 IPS integration
[Jul 30 11:54:25]  INFO [localhost] Scanning vulnerabilities...
[Jul 30 11:54:25]  INFO [localhost] Scanning vulnerable OS packages...


One Line Summary
================
k8s     pseudo  0 installed, 0 updatable





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

 ubuntu@dev  ~│g│s│g│f│vuls  ⎇ master~  ./vuls report -format-full-text
[Jul 30 11:54:43]  INFO [localhost] Validating config...
[Jul 30 11:54:43]  INFO [localhost] Loaded: /home/ubuntu/go/src/github.com/future-architect/vuls/results/2020-07-30T11:54:25+09:00
[Jul 30 11:54:43]  INFO [localhost] Validating db config...
INFO[0000] -cvedb-type: sqlite3, -cvedb-url: , -cvedb-path: /home/ubuntu/go/src/github.com/kotakanbe/go-cve-dictionary/cve.sqlite3
INFO[0000] -ovaldb-type: sqlite3, -ovaldb-url: , -ovaldb-path: /home/ubuntu/go/src/github.com/kotakanbe/goval-dictionary/oval.sqlite3
INFO[0000] -gostdb-type: sqlite3, -gostdb-url: , -gostdb-path: /home/ubuntu/go/src/github.com/knqyf263/gost/gost.sqlite3
INFO[0000] -exploitdb-type: sqlite3, -exploitdb-url: , -exploitdb-path: /home/ubuntu/go/src/github.com/vulsio/vulsctl/go-exploitdb.sqlite3
INFO[0000] -msfdb-type: redis, -msfdb-url: redis://localhost/0, -msfdb-path:
INFO[07-30|11:54:43] Opening DB.                              db=sqlite3
INFO[07-30|11:54:43] Migrating DB.                            db=sqlite3
INFO[07-30|11:54:43] Opening Database.                        db=sqlite3
INFO[07-30|11:54:43] Migrating DB.                            db=sqlite3
INFO[07-30|11:54:43] Opening DB                               db=redis
INFO[07-30|11:54:43] Migrating DB                             db=redis
k8s (pseudo)
============
Total: 21 (High:0 Medium:16 Low:5 ?:0), 0/0 Fixed, 0 installed, 0 updatable, 0 exploits, 0 modules, en: 0, ja: 0 alerts

+---------------+----------------------------------------------------------------------------------+
| CVE-2020-8558 |                                                                                  |
+---------------+----------------------------------------------------------------------------------+
| Max Score     | 8.8 HIGH (nvd)                                                                   |
| nvd           | 8.8/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H HIGH                            |
| nvd           | 5.8/AV:A/AC:L/Au:N/C:P/I:P/A:P MEDIUM                                            |
| Summary       | The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6,  |
|               | and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent   |
|               | hosts to reach TCP and UDP services bound to 127.0.0.1 running on the node       |
|               | or in the node's network namespace. Such a service is generally thought to be    |
|               | reachable only by other processes on the same host, but due to this defeect,     |
|               | could be reachable by other hosts on the same LAN as the node, or by containers  |
|               | running on the same node as the service.                                         |
| CWE           | [OWASP Top2] CWE-287: Improper Authentication (nvd)                              |
| CWE           | [CWE Top13] CWE-287: Improper Authentication (nvd)                               |
| CPE           | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence    | 100 / CpeNameMatch                                                               |
| Source        | https://nvd.nist.gov/vuln/detail/CVE-2020-8558                                   |
| CVSSv2 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2020-8558          |
| CVSSv3 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2020-8558          |
| CWE           | https://cwe.mitre.org/data/definitions/CWE-287.html                              |
| OWASP Top10   | https://github.com/OWASP/Top10/blob/master/2017/en/0xa2-broken-authentication.md |
| CWE Top25     | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
+---------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11248 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 8.2 HIGH (nvd)                                                                   |
| nvd            | 8.2/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L HIGH                            |
| redhat_api     | 6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L MODERATE                        |
| nvd            | 6.4/AV:N/AC:L/Au:N/C:P/I:N/A:P MEDIUM                                            |
| Summary        | The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet  |
|                | healthz port. The go pprof endpoint is exposed over the Kubelet's healthz port.  |
|                | This debugging endpoint can potentially leak sensitive information such as       |
|                | internal Kubelet memory addresses and configuration, or for limited denial of    |
|                | service. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The |
|                | issue is of medium severity, but not exposed by the default configuration.       |
| CWE            | [CWE Top4] CWE-200: Information Exposure (nvd)                                   |
| CWE            | [OWASP Top5] CWE-284: Improper Access Control (redhat_api)                       |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11248                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11248         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11248         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-200.html                              |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-284.html                              |
| OWASP Top10    | https://github.com/OWASP/Top10/blob/master/2017/en/0xa5-broken-access-control.md |
| CWE Top25      | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
+----------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11243 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 8.1 HIGH (nvd)                                                                   |
| nvd            | 8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H HIGH                            |
| redhat_api     | 3.1/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N LOW                             |
| nvd            | 4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N MEDIUM                                            |
| Summary        | In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig()      |
|                | method returns a copy of the provided config, with credentials removed (bearer   |
|                | token, username/password, and client certificate/key data). In the affected      |
|                | versions, rest.AnonymousClientConfig() did not effectively clear service account |
|                | credentials loaded using rest.InClusterConfig()                                  |
| CWE            | CWE-255:  (nvd)                                                                  |
| CWE            | [CWE Top4] CWE-200: Information Exposure (redhat_api)                            |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11243                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11243         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11243         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-255.html                              |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-200.html                              |
| CWE Top25      | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
+----------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11247 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 8.1 HIGH (nvd)                                                                   |
| nvd            | 8.1/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N HIGH                            |
| redhat_api     | 5.0/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L MODERATE                        |
| nvd            | 6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P MEDIUM                                            |
| Summary        | The Kubernetes kube-apiserver mistakenly allows access to a cluster-scoped       |
|                | custom resource if the request is made as if the resource were namespaced.       |
|                | Authorizations for the resource accessed in this manner are enforced using       |
|                | roles and role bindings within the namespace, meaning that a user with access    |
|                | only to a resource in one namespace could create, view update or delete          |
|                | the cluster-scoped resource (according to their namespace role privileges).      |
|                | Kubernetes affected versions include versions prior to 1.13.9, versions prior to |
|                | 1.14.5, versions prior to 1.15.2, and versions 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.  |
| CWE            | CWE-264:  (nvd)                                                                  |
| CWE            | [OWASP Top5] CWE-284: Improper Access Control (redhat_api)                       |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11247                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11247         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11247         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-264.html                              |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-284.html                              |
| OWASP Top10    | https://github.com/OWASP/Top10/blob/master/2017/en/0xa5-broken-access-control.md |
+----------------+----------------------------------------------------------------------------------+

+----------------+---------------------------------------------------------------------------------------------------------------+
| CVE-2019-11245 |                                                                                                               |
+----------------+---------------------------------------------------------------------------------------------------------------+
| Max Score      | 7.8 HIGH (nvd)                                                                                                |
| nvd            | 7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H HIGH                                                         |
| redhat_api     | 4.9/CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L MODERATE                                                     |
| nvd            | 4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P MEDIUM                                                                         |
| Summary        | In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify                                       |
|                | an explicit runAsUser attempt to run as uid 0 (root) on container restart,                                    |
|                | or if the image was previously pulled to the node. If the pod specified                                       |
|                | mustRunAsNonRoot: true, the kubelet will refuse to start the container as root.                               |
|                | If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the                                   |
|                | container as uid 0.                                                                                           |
| Mitigation     | There are two potential mitigations to this issue: 1. Downgrade to kubelet v1.13.5 or                         |
|                | v1.14.1 as instructed by your Kubernetes distribution. 2. Set RunAsUser on all pods in the                    |
|                | cluster that should not run as root. This is a Security Context feature; the docs are at                      |
|                | https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
| CWE            | CWE-266: Incorrect Privilege Assignment (redhat_api)                                                          |
| CWE            | CWE-264:  (nvd)                                                                                               |
| CPE            | cpe:/a:kubernetes:kubernetes                                                                                  |
| Confidence     | 100 / CpeNameMatch                                                                                            |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11245                                                               |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11245                                      |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11245                                      |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-266.html                                                           |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-264.html                                                           |
+----------------+---------------------------------------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11253 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 7.5 HIGH (nvd)                                                                   |
| nvd            | 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H HIGH                            |
| redhat_api     | 7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H IMPORTANT                       |
| nvd            | 5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P MEDIUM                                            |
| Summary        | Improper input validation in the Kubernetes API server in versions v1.0-1.12     |
|                | and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized  |
|                | users to send malicious YAML or JSON payloads, causing the API server to consume |
|                | excessive CPU or memory, potentially crashing and becoming unavailable. Prior    |
|                | to v1.14.0, default RBAC policy authorized anonymous users to submit requests    |
|                | that could trigger this vulnerability. Clusters upgraded from a version prior to |
|                | v1.14.0 keep the more permissive policy by default for backwards compatibility.  |
| CWE            | [CWE Top3] CWE-20: Improper Input Validation (nvd)                               |
| CWE            | [CWE Top20] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')   |
|                | (redhat_api)                                                                     |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11253                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11253         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11253         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-20.html                               |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-400.html                              |
| CWE Top25      | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
+----------------+----------------------------------------------------------------------------------+

+---------------+----------------------------------------------------------------------------------+
| CVE-2019-9946 |                                                                                  |
+---------------+----------------------------------------------------------------------------------+
| Max Score     | 7.5 HIGH (nvd)                                                                   |
| nvd           | 7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N HIGH                            |
| redhat_api    | 6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L MODERATE                        |
| nvd           | 5.0/AV:N/AC:L/Au:N/C:N/I:P/A:N MEDIUM                                            |
| Summary       | Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface)    |
|               | 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI  |
|               | 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front    |
|               | of the iptables nat chains; which take precedence over the KUBE- SERVICES chain. |
|               | Because of this, the HostPort/portmap rule could match incoming traffic even if  |
|               | there were better fitting, more specific service definition rules like NodePorts |
|               | later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9,       |
|               | 1.12.7, 1.13.5, and 1.14.0.                                                      |
| CWE           | CWE-254:  (nvd)                                                                  |
| CWE           | CWE-841: Improper Enforcement of Behavioral Workflow (redhat_api)                |
| CPE           | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence    | 100 / CpeNameMatch                                                               |
| Source        | https://nvd.nist.gov/vuln/detail/CVE-2019-9946                                   |
| CVSSv2 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-9946          |
| CVSSv3 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-9946          |
| CWE           | https://cwe.mitre.org/data/definitions/CWE-254.html                              |
| CWE           | https://cwe.mitre.org/data/definitions/CWE-841.html                              |
+---------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2020-8559  |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 6.8 MEDIUM (nvd)                                                                 |
| nvd            | 6.8/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H MEDIUM                          |
| nvd            | 6.0/AV:N/AC:M/Au:S/C:P/I:P/A:P MEDIUM                                            |
| Summary        | The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to      |
|                | v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on       |
|                | proxied upgrade requests that could allow an attacker to escalate privileges     |
|                | from a node compromise to a full cluster compromise.                             |
| CWE            | [CWE/SANS Top22]  CWE-601: URL Redirection to Untrusted Site ('Open Redirect')   |
|                | (nvd)                                                                            |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2020-8559                                   |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2020-8559          |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2020-8559          |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-601.html                              |
| SANS/CWE Top25 | https://www.sans.org/top25-software-errors/                                      |
+----------------+----------------------------------------------------------------------------------+

+------------------+----------------------------------------------------------------------------------+
| CVE-2019-1002100 |                                                                                  |
+------------------+----------------------------------------------------------------------------------+
| Max Score        | 6.5 MEDIUM (nvd)                                                                 |
| nvd              | 6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MEDIUM                          |
| redhat_api       | 6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MODERATE                        |
| nvd              | 4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P MEDIUM                                            |
| Summary          | In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that    |
|                  | are authorized to make patch requests to the Kubernetes API Server can send      |
|                  | a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type       |
|                  | json` or `"Content-Type: application/json-patch+json"`) that consumes excessive  |
|                  | resources while processing, causing a Denial of Service on the API Server.       |
| Mitigation       | Remove ‘patch’ permissions from untrusted users.                                 |
| CWE              | [CWE Top20] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')   |
|                  | (redhat_api)                                                                     |
| CWE              | [CWE Top3] CWE-20: Improper Input Validation (redhat_api)                        |
| CPE              | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence       | 100 / CpeNameMatch                                                               |
| Source           | https://nvd.nist.gov/vuln/detail/CVE-2019-1002100                                |
| CVSSv2 Calc      | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-1002100       |
| CVSSv3 Calc      | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-1002100       |
| CWE              | https://cwe.mitre.org/data/definitions/CWE-400.html                              |
| CWE              | https://cwe.mitre.org/data/definitions/CWE-20.html                               |
| CWE Top25        | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
+------------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11246 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 6.5 MEDIUM (nvd)                                                                 |
| nvd            | 6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N MEDIUM                          |
| redhat_api     | 5.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N MODERATE                        |
| nvd            | 4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N MEDIUM                                            |
| Summary        | The kubectl cp command allows copying files between containers and the user      |
|                | machine. To copy files from a container, Kubernetes runs tar inside the          |
|                | container to create a tar archive, copies it over the network, and kubectl       |
|                | unpacks it on the user’s machine. If the tar binary in the container is          |
|                | malicious, it could run any code and output unexpected, malicious results. An    |
|                | attacker could use this to write files to any path on the user’s machine when    |
|                | kubectl cp is called, limited only by the system permissions of the local user.  |
|                | Kubernetes affected versions include versions prior to 1.12.9, versions prior    |
|                | to 1.13.6, versions prior to 1.14.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6,  |
|                | 1.7, 1.8, 1.9, 1.10, 1.11.                                                       |
| CWE            | CWE-264:  (nvd)                                                                  |
| CWE            | CWE-59: Improper Link Resolution Before File Access ('Link Following')           |
|                | (redhat_api)                                                                     |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11246                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11246         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11246         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-264.html                              |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-59.html                               |
+----------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11249 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 6.5 MEDIUM (nvd)                                                                 |
| nvd            | 6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N MEDIUM                          |
| redhat_api     | 4.8/CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N MODERATE                        |
| nvd            | 5.8/AV:N/AC:M/Au:N/C:N/I:P/A:P MEDIUM                                            |
| Summary        | The kubectl cp command allows copying files between containers and the user      |
|                | machine. To copy files from a container, Kubernetes runs tar inside the          |
|                | container to create a tar archive, copies it over the network, and kubectl       |
|                | unpacks it on the user’s machine. If the tar binary in the container is          |
|                | malicious, it could run any code and output unexpected, malicious results. An    |
|                | attacker could use this to write files to any path on the user’s machine when    |
|                | kubectl cp is called, limited only by the system permissions of the local user.  |
|                | Kubernetes affected versions include versions prior to 1.13.9, versions prior    |
|                | to 1.14.5, versions prior to 1.15.2, and versions 1.1, 1.2, 1.4, 1.4, 1.5, 1.6,  |
|                | 1.7, 1.8, 1.9, 1.10, 1.11, 1.12.                                                 |
| CWE            | [OWASP Top5] CWE-22: Improper Limitation of a Pathname to a Restricted Directory |
|                | ('Path Traversal') (redhat_api)                                                  |
| CWE            | [CWE Top10] CWE-22: Improper Limitation of a Pathname to a Restricted Directory  |
|                | ('Path Traversal') (redhat_api)                                                  |
| CWE            | [CWE/SANS Top13]  CWE-22: Improper Limitation of a Pathname to a Restricted      |
|                | Directory ('Path Traversal') (redhat_api)                                        |
| CWE            | CWE-264:  (nvd)                                                                  |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11249                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11249         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11249         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-22.html                               |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-264.html                              |
| OWASP Top10    | https://github.com/OWASP/Top10/blob/master/2017/en/0xa5-broken-access-control.md |
| CWE Top25      | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
| SANS/CWE Top25 | https://www.sans.org/top25-software-errors/                                      |
+----------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11250 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 6.5 MEDIUM (nvd)                                                                 |
| nvd            | 6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MEDIUM                          |
| redhat_api     | 4.4/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N MODERATE                        |
| nvd            | 3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N LOW                                               |
| Summary        | The Kubernetes client-go library logs request headers at verbosity levels        |
|                | of 7 or higher. This can disclose credentials to unauthorized users via logs     |
|                | or command output. Kubernetes components (such as kube-apiserver) prior to       |
|                | v1.16.0, which make use of basic or bearer token authentication, and run at high |
|                | verbosity levels, are affected.                                                  |
| CWE            | CWE-532: Information Exposure Through Log Files (redhat_api)                     |
| CWE            | CWE-255:  (nvd)                                                                  |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11250                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11250         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11250         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-532.html                              |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-255.html                              |
+----------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11252 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 6.5 MEDIUM (nvd)                                                                 |
| nvd            | 6.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N MEDIUM                          |
| nvd            | 5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N MEDIUM                                            |
| Summary        | The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulnerable to   |
|                | a credential leakage via error messages in mount failure logs and events for     |
|                | AzureFile and CephFS volumes.                                                    |
| CWE            | CWE-209: Information Exposure Through an Error Message (nvd)                     |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11252                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11252         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11252         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-209.html                              |
+----------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11254 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 6.5 MEDIUM (nvd)                                                                 |
| nvd            | 6.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MEDIUM                          |
| nvd            | 4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P MEDIUM                                            |
| Summary        | The Kubernetes API Server component in versions 1.1-1.14, and versions prior     |
|                | to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious      |
|                | YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while  |
|                | parsing YAML.                                                                    |
| CWE            | [CWE Top20] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')   |
|                | (nvd)                                                                            |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11254                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11254         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11254         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-400.html                              |
| CWE Top25      | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
+----------------+----------------------------------------------------------------------------------+

+---------------+----------------------------------------------------------------------------------+
| CVE-2020-8551 |                                                                                  |
+---------------+----------------------------------------------------------------------------------+
| Max Score     | 6.5 MEDIUM (nvd)                                                                 |
| nvd           | 6.5/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MEDIUM                          |
| nvd           | 3.3/AV:A/AC:L/Au:N/C:N/I:N/A:P LOW                                               |
| Summary       | The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and              |
|               | 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack      |
|               | via the kubelet API, including the unauthenticated HTTP read-only API typically  |
|               | served on port 10255, and the authenticated HTTPS API typically served on port   |
|               | 10250.                                                                           |
| CWE           | CWE-770: Allocation of Resources Without Limits or Throttling (nvd)              |
| CPE           | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence    | 100 / CpeNameMatch                                                               |
| Source        | https://nvd.nist.gov/vuln/detail/CVE-2020-8551                                   |
| CVSSv2 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2020-8551          |
| CVSSv3 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2020-8551          |
| CWE           | https://cwe.mitre.org/data/definitions/CWE-770.html                              |
+---------------+----------------------------------------------------------------------------------+

+---------------+----------------------------------------------------------------------------------+
| CVE-2020-8555 |                                                                                  |
+---------------+----------------------------------------------------------------------------------+
| Max Score     | 6.3 MEDIUM (nvd)                                                                 |
| nvd           | 6.3/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N MEDIUM                          |
| nvd           | 3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N LOW                                               |
| Summary       | The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to  |
|               | v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side  |
|               | Request Forgery (SSRF) that allows certain authorized users to leak up to 500    |
|               | bytes of arbitrary information from unprotected endpoints within the master's    |
|               | host network (such as link-local or loopback services).                          |
| CWE           | CWE-918: Server-Side Request Forgery (SSRF) (nvd)                                |
| CPE           | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence    | 100 / CpeNameMatch                                                               |
| Source        | https://nvd.nist.gov/vuln/detail/CVE-2020-8555                                   |
| CVSSv2 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2020-8555          |
| CVSSv3 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2020-8555          |
| CWE           | https://cwe.mitre.org/data/definitions/CWE-918.html                              |
+---------------+----------------------------------------------------------------------------------+

+------------------+----------------------------------------------------------------------------------+
| CVE-2019-1002101 |                                                                                  |
+------------------+----------------------------------------------------------------------------------+
| Max Score        | 5.8 MEDIUM (nvd)                                                                 |
| nvd              | 5.5/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N MEDIUM                          |
| redhat_api       | 5.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N MODERATE                        |
| nvd              | 5.8/AV:N/AC:M/Au:N/C:N/I:P/A:P MEDIUM                                            |
| Summary          | The kubectl cp command allows copying files between containers and the user      |
|                  | machine. To copy files from a container, Kubernetes creates a tar inside the     |
|                  | container, copies it over the network, and kubectl unpacks it on the user’s      |
|                  | machine. If the tar binary in the container is malicious, it could run any code  |
|                  | and output unexpected, malicious results. An attacker could use this to write    |
|                  | files to any path on the user’s machine when kubectl cp is called, limited only  |
|                  | by the system permissions of the local user. The untar function can both create  |
|                  | and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7,    |
|                  | v1.13.5, and v1.14.0.                                                            |
| CWE              | CWE-59: Improper Link Resolution Before File Access ('Link Following')           |
|                  | (redhat_api)                                                                     |
| CPE              | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence       | 100 / CpeNameMatch                                                               |
| Source           | https://nvd.nist.gov/vuln/detail/CVE-2019-1002101                                |
| CVSSv2 Calc      | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-1002101       |
| CVSSv3 Calc      | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-1002101       |
| CWE              | https://cwe.mitre.org/data/definitions/CWE-59.html                               |
+------------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11251 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 5.7 MEDIUM (nvd)                                                                 |
| nvd            | 5.7/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N MEDIUM                          |
| redhat_api     | 5.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N MODERATE                        |
| nvd            | 4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N MEDIUM                                            |
| Summary        | The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to    |
|                | 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by     |
|                | tar output of a malicious container to place a file outside of the destination   |
|                | directory specified in the kubectl cp invocation. This could be used to allow an |
|                | attacker to place a nefarious file using a symlink, outside of the destination   |
|                | tree.                                                                            |
| CWE            | CWE-59: Improper Link Resolution Before File Access ('Link Following')           |
|                | (redhat_api)                                                                     |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11251                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11251         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11251         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-59.html                               |
+----------------+----------------------------------------------------------------------------------+

+---------------+----------------------------------------------------------------------------------+
| CVE-2020-8557 |                                                                                  |
+---------------+----------------------------------------------------------------------------------+
| Max Score     | 5.5 MEDIUM (nvd)                                                                 |
| nvd           | 5.5/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MEDIUM                          |
| nvd           | 2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P LOW                                               |
| Summary       | The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and      |
|               | 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own     |
|               | /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included |
|               | by the kubelet eviction manager when calculating ephemeral storage usage by a    |
|               | pod. If a pod writes a large amount of data to the /etc/hosts file, it could     |
|               | fill the storage space of the node and cause the node to fail.                   |
| CWE           | [CWE Top20] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')   |
|               | (nvd)                                                                            |
| CPE           | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence    | 100 / CpeNameMatch                                                               |
| Source        | https://nvd.nist.gov/vuln/detail/CVE-2020-8557                                   |
| CVSSv2 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2020-8557          |
| CVSSv3 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2020-8557          |
| CWE           | https://cwe.mitre.org/data/definitions/CWE-400.html                              |
| CWE Top25     | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
+---------------+----------------------------------------------------------------------------------+

+----------------+----------------------------------------------------------------------------------+
| CVE-2019-11244 |                                                                                  |
+----------------+----------------------------------------------------------------------------------+
| Max Score      | 5.0 MEDIUM (nvd)                                                                 |
| nvd            | 5.0/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N MEDIUM                          |
| redhat_api     | 3.3/CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N LOW                             |
| nvd            | 1.9/AV:L/AC:M/Au:N/C:N/I:P/A:N LOW                                               |
| Summary        | In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location   |
|                | specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with    |
|                | world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed |
|                | at a different location accessible to other users/groups, the written files may  |
|                | be modified by other users/groups and disrupt the kubectl invocation.            |
| Mitigation     | Do not use --cache-dir, or ensure that --cache-dir is not set to a location that |
|                | other users have access to.                                                      |
| CWE            | [CWE Top16] CWE-732: Incorrect Permission Assignment for Critical Resource       |
|                | (redhat_api)                                                                     |
| CWE            | [CWE/SANS Top17]  CWE-732: Incorrect Permission Assignment for Critical Resource |
|                | (redhat_api)                                                                     |
| CWE            | CWE-264:  (nvd)                                                                  |
| CPE            | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence     | 100 / CpeNameMatch                                                               |
| Source         | https://nvd.nist.gov/vuln/detail/CVE-2019-11244                                  |
| CVSSv2 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2019-11244         |
| CVSSv3 Calc    | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-11244         |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-732.html                              |
| CWE            | https://cwe.mitre.org/data/definitions/CWE-264.html                              |
| CWE Top25      | https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html                     |
| SANS/CWE Top25 | https://www.sans.org/top25-software-errors/                                      |
+----------------+----------------------------------------------------------------------------------+

+---------------+----------------------------------------------------------------------------------+
| CVE-2020-8552 |                                                                                  |
+---------------+----------------------------------------------------------------------------------+
| Max Score     | 4.3 MEDIUM (nvd)                                                                 |
| nvd           | 4.3/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L MEDIUM                          |
| nvd           | 4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P MEDIUM                                            |
| Summary       | The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6,  |
|               | and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack  |
|               | via successful API requests.                                                     |
| CWE           | CWE-770: Allocation of Resources Without Limits or Throttling (nvd)              |
| CPE           | cpe:/a:kubernetes:kubernetes                                                     |
| Confidence    | 100 / CpeNameMatch                                                               |
| Source        | https://nvd.nist.gov/vuln/detail/CVE-2020-8552                                   |
| CVSSv2 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2020-8552          |
| CVSSv3 Calc   | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2020-8552          |
| CWE           | https://cwe.mitre.org/data/definitions/CWE-770.html                              |
+---------------+----------------------------------------------------------------------------------+
posted by kotakanbe over 4 years ago

@kotakanbe, thanks so much. I can reproduce your results by adding the following to my config.

[servers.k8s]
type = "pseudo"
cpeNames = [
        "cpe:/a:kubernetes:kubernetes"
]

It looks like the difference is the type="pseudo", rather than the host in my original config file. Another finding is that if I run ./vuls report -format-json, the output is not written to a JSON file under the results directory. Is this expected for a type="pseudo" host?

posted by huikang over 4 years ago
